
Re: tag2upload's support of pristine-tar missing and potential regression in upstream signature verification (Re: Include git commit id and git tree id in *.changes files when uploading?)



Hi!

...
> > The issue https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1106071#40
> > seems to have ended in only a documentation update in
> > https://salsa.debian.org/dgit-team/dgit/-/merge_requests/264
> >
> > It would be a pity if we lose the ability to verify detached OpenPGP
> > signatures for the upstreams that do publish both orig.tar.gz and
> > orig.tar.gz.asc. Currently the ability to cryptographically verify
> > authenticity of the upstream sources in a single operation for a lot
> > of packages significantly decreases the amount of files that have to
> > be diffed when auditing what was modified in Debian vs. original
> > upstream.
> >
> > I know your end goal is to stop using tarballs completely and just
> > import git commits directly from upstream, but I think we still need
> > to retain real original .orig.tar.gz tarballs for some years more
> > until 100% of upstreams use git and 100% of Debian packaging git
> > repositories have the debian/latest branch on top of a real upstream
> > release branch so Debian changes can be diffed in relation to upstream
> > release commits.
> >
> > Having everyone use tag2upload obviously helps ensure that what was
> > uploaded, and what is in git, stays in sync. The metadata makes it
> > possible to check the chain between the Debian archive and the Debian
> > packaging git repo, but we should not make it harder to check the link
> > between Debian and upstream in the process by obsoleting upstream
> > orig.tar.gz.
>
> People should either stop using pristine-tar, and make use of the
> end-to-end trust path from upstream git tags to the archive that is
> provided by tag2upload, or someone should do the work to fix #1106071.
> It's all scoped out and ready.

Good to hear you don't actively object to this feature but just want
somebody else to take on developing it.

It would be nice to have tag2upload support upstream detached
signatures, in particular as tag2upload does not support including the
upstream release tags and their signatures either. Sure, one can still
correlate match ids, and one can always resort to just downloading all
files and diffing them, but since some upstreams take the extra effort
to sign their git tags or publish orig.tar.gz.asc files or equivalent
signatures, it would be nice to actually be able to use them and not
just ignore that they exist.
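The "single operation" the thread refers to is verifying the upstream orig.tar.gz against its detached orig.tar.gz.asc with a key the packager has pinned, the way uscan and dpkg-source use debian/upstream/signing-key.asc. The script below is an added example written for this page, not code from tag2upload, dgit or any of the thread's participants. It assumes gpg and gpgv are installed; the upstream key (identity upstream@example.invalid), the hello_1.0.orig.tar.gz tarball and its signature are all constructed inside a throwaway GNUPGHOME so the whole thing runs offline, and the verification is done against an isolated dearmored keyring rather than whatever happens to be in ~/.gnupg.

```shell
#!/bin/sh
# Added example: verify an upstream orig.tar.gz against its detached
# OpenPGP signature using only a pinned keyring. Key, tarball and
# signature are constructed here; nothing is fetched from the network.
set -eu

WORK=$(mktemp -d)
export GNUPGHOME="$WORK/gnupghome"
mkdir -m 700 "$GNUPGHOME"
trap 'gpgconf --kill gpg-agent 2>/dev/null; rm -rf "$WORK"' EXIT

# Constructed upstream signing key (hypothetical identity, unprotected
# so the script runs unattended).
gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
    --quick-gen-key 'Upstream Test <upstream@example.invalid>' default default 0 \
    2>/dev/null

# Constructed upstream release: hello_1.0.orig.tar.gz plus detached .asc,
# i.e. what an upstream that signs its tarballs publishes.
mkdir -p "$WORK/hello-1.0"
printf 'int main(void) { return 0; }\n' > "$WORK/hello-1.0/hello.c"
tar -C "$WORK" -czf "$WORK/hello_1.0.orig.tar.gz" hello-1.0
gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
    --armor --detach-sign \
    --output "$WORK/hello_1.0.orig.tar.gz.asc" "$WORK/hello_1.0.orig.tar.gz"

# What the packager would commit as debian/upstream/signing-key.asc:
# the upstream public key, pinned in the packaging repo.
gpg --batch --quiet --armor --export upstream@example.invalid \
    > "$WORK/signing-key.asc"

# verify_orig KEYRING.asc TARBALL SIGNATURE.asc
# Returns 0 only if SIGNATURE is a good signature over TARBALL by a key in
# KEYRING.asc. gpgv consults only the keyrings it is given, so keys in the
# user's default keyring cannot make an unknown signer "good".
verify_orig() {
    keyring=$1; tarball=$2; sig=$3
    kr=$(mktemp)
    # gpgv wants a binary keyring; dearmor the pinned armored key file.
    gpg --dearmor < "$keyring" > "$kr"
    if gpgv --keyring "$kr" "$sig" "$tarball" 2>/dev/null; then
        rc=0
    else
        rc=1
    fi
    rm -f "$kr"
    return $rc
}

# A tampered copy: one extra byte is enough for the signature to fail.
cp "$WORK/hello_1.0.orig.tar.gz" "$WORK/tampered.tar.gz"
printf 'x' >> "$WORK/tampered.tar.gz"

if verify_orig "$WORK/signing-key.asc" "$WORK/hello_1.0.orig.tar.gz" \
        "$WORK/hello_1.0.orig.tar.gz.asc"; then
    echo "hello_1.0.orig.tar.gz: good upstream signature"
else
    echo "hello_1.0.orig.tar.gz: BAD signature" >&2
fi

if verify_orig "$WORK/signing-key.asc" "$WORK/tampered.tar.gz" \
        "$WORK/hello_1.0.orig.tar.gz.asc"; then
    echo "tampered.tar.gz: unexpectedly verified" >&2
else
    echo "tampered.tar.gz: signature rejected, as expected"
fi
```

The point of dearmoring the committed key into a private keyring and handing only that to gpgv is that the check depends on the key the packager reviewed and pinned, not on the contents of the local default keyring. That is the property that would be lost if the archive stopped carrying the real upstream orig.tar.gz alongside its .asc: a pristine-tar or git-derived tarball that is not byte-identical to what upstream signed will fail exactly like the tampered copy above.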

